'Cookie walls' guidance repealed in France

Out-Law News | 07 Jul 2020 | 8:36 am | 2 min. read

The French data protection authority has confirmed it will issue revised guidance on the use of so-called 'cookie walls' following a recent decision by Conseil d'Etat, the French Council of State.

The Commission nationale de l'informatique et des libertés (CNIL) published guidelines on cookies and other connection trackers last year which, among other things, placed an absolute ban on online companies preventing customers from accessing their services unless they gave their consent to the use of 'cookies'. Those guidelines were issued to help businesses meet their obligations on the use of cookies under the General Data Protection Regulation (GDPR).

In a decision last month, the French Council of State, the highest administrative authority in France, said that the CNIL had exceeded its powers with such a ban, and repealed that part of the CNIL guidelines.

Paris-based data protection law expert Pauline Binelli of Pinsent Masons, the law firm behind Out-Law, said: "The CNIL's guidelines stated: 'The Commission considers that consent can be valid only if the person concerned is able to exercise his or her choice validly and does not suffer major inconvenience in the event of the absence or withdrawal of consent'. In practice, if a user did not want to consent to the monitoring of his or her browsing by means of depositing cookies and connection trackers, the editor of the website could not, under any circumstances block access to the website."

In a statement, CNIL said: "The Council of State considered that by deducting this general prohibition from the GDPR, the CNIL had gone beyond what is legally possible with guidelines, which are an instrument of 'soft law'.

The Commission will have to take note of the Council of State's decision and will have to comply strictly with it. The guidelines will be adjusted to the strict extent necessary to draw the consequences of the decision of the Council of State.

Cookies are small text files that record internet users' online activity. The use of 'cookie walls' has proven controversial and attracted substantial scrutiny, with a number of data protection authorities across Europe issuing different guidelines on the topic, including in the UK and more recently in Ireland.

Binelli said that while the Council of State had endorsed most of the CNIL's cookies guidance, there was another aspect of the guide that it had taken issue with.

"The guidelines were also criticised because they created an obligation for online service providers to ensure that each internet user was able to 'provide independent and specific consent for each distinct purpose' behind their use of cookies," Binelli said. "This principle is also mentioned in the French Data Protection Act. However, this requirement represents a burdensome obligation, both in terms of presentation and usability, for a data controller that wishes to deposit cookies or other trackers."

"On this point, the Council of State specifies that this requirement implies that, when the consent is given globally, it must be preceded by information specific to each of the purposes. The contested passage in the guidelines merely reiterates this requirement, without imposing on operators any particular technical modalities – whether global consent or purpose by purpose – for the collection of consent. The CNIL has said it will address this point in a new recommendation to be issued after September this year, with the Council of State requiring that this recommendation is only published following public consultation," she said.